On-line Privacy: The FTC Snuffs Out A “History Sniffer”

Most people seem to know that on-line browsing does not occur in a vacuum. As we browse the Web the sites we visit send “cookies” to our browsers that allow those sites to recognize us and keep track of our activity on them. At the same time, advertising websites send “third-party” cookies to us that allow them to track the sites we visit that use that same advertising network. This is so they can send us ads that are targeted toward our apparent interests. In any event, we maintain a level of control in that we can easily delete or block cookies from our computers if we want.

The Problem

Last month, an internet advertiser facing Federal Trade Commission charges agreed to stop engaging in the practice of “history sniffing,” a form of on-line tracking that goes further than the routine and “accepted” use of tracking cookies by advertisers.

History sniffing involves the placement of software code on a website that displays hidden links to web addresses. When a visitor accesses the website, his or her browser will display these links (which remain hidden) in one of two colors, which the software code can see and thereby “learn” about the visitor’s browsing history. Importantly, history sniffing allows an advertiser to track activity on websites outside its network, and we can’t prevent this practice simply by deleting cookies. Nor can we even tell if our browsing history is being “sniffed.”

The Charges

The FTC’s charges against Epic Marketplace, Inc. (“Epic”) and its corporate parent, Epic Media Group, LLC (“EMG”), alleged that Epic had been engaging in history sniffing since as early as March 2010. According to the FTC’s complaint,

“Epic included the history-sniffing code within advertisements it served to visitors on at least 24,000 webpages within the Epic Marketplace Network including, but not limited to, cnn.com, papajohns.com, redcross.com, and orbitz.com . . . The code allowed Epic to determine whether a consumer had visited any of over 54,000 domains . . . History sniffing allowed Epic to determine whether consumers had visited webpages that were outside the Epic Marketplace Network, information it would not otherwise have been able to obtain.”

Moreover, the websites targeted by Epic were geared toward sensitive issues such as health and financial well-being. Epic’s history sniffing activity was uncovered in July 2011 by researchers at the Stanford Security Lab.

The basis for the FTC’s charges was simple: Epic disclosed in its privacy policy that it collected visitor information from the websites included its network, but failed to disclose that it also collected information on whether users had visited sites outside the Epic network. This amounted to a deceptive act or practice under Section 5(a) of the Federal Trade Commission Act.

The Outcome

Epic and EMG have now agreed to a Consent Order with the FTC, and the Commission has accepted the order. The Consent Order specifies three primary directives:

Epic and EMG may not misrepresent the extent to which they maintain the privacy or confidentiality of data, or the extent to which software code on a website determines whether a user has visited the site;

Epic and EMG may not collect any data through history sniffing or use any data obtained by history sniffing; and

Epic and EMG may not use, disclose, sell, rent, lease, or transfer any information collected through history sniffing, and instead they must delete or destroy all such information.

The Order also includes various directives concerning record keeping, reporting, and delivery of the Order to certain current and future employees, and states that it will terminate in 20 years unless the government files a complaint for violation of the Order.

The Future

The Epic/EMG matter is not the first history sniffing case to make the news. Back in 2010, three history sniffing lawsuits, two in New York and one in California, were filed in federal court. All three cases have since been voluntarily dismissed. The lesson learned from those cases was that it may be difficult for plaintiffs to find viable legal theories upon which to bring history sniffing claims. Help could be on the way in the form of pending federal and state legislation, but that remains to be seen.

The legal landscape for history sniffing seems unclear at best. On the one hand, the FTC’s charges against Epic and EMG were based on a failure to disclose the use of history sniffing, not the fact that history sniffing was being used. On the other hand, the FTC’s Order prohibits Epic and EMG from engaging in history sniffing in the future. The picture is muddied further by the fact that private lawsuits directed at history sniffing have proven difficult, and legislative efforts have not moved swiftly. What is clearer, at least according to a report issued this fall by the Berkeley Center for Law & Technology, is that most consumers would prefer not to be tracked on-line.